react2shell is an educational security research project demonstrating how unsafe deserialization and trust boundary violations in server-side frameworks can lead to Remote Code Execution (RCE).
The project is built using Next.js 16 Server Actions and showcases how malformed client input, when improperly validated, can execute unintended server-side logic.
This repository is strictly for learning and security awareness purposes.
- https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
- https://gist.github.com/akshaymarch7/65c8b5ed2f0b19ca9b480b55da38f809
- https://gist.github.com/akshaymarch7/1da1558d1a1a04e29ae50d0de7a360ad
- How Server Actions process multipart/form-data
- Why deserializing untrusted input is dangerous
- How JavaScript prototype pollution & thenable resolution can break application assumptions
- How a seemingly harmless request can trigger server-side execution
- Why RCE is considered a critical severity vulnerability
- Remote Code Execution (RCE)
- Trust boundaries (Client → Server)
- Unsafe deserialization
- Prototype pollution
- Server-side JavaScript execution
- Framework-level security assumptions
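The prototype-pollution and thenable concepts listed above, as an added illustration (not code from the react2shell repository, and not the Next.js or React internals themselves): a naive recursive merge of decoded client input beside a hardened merge that enforces the client → server trust boundary. The payload and the thenable value are constructed for the demo.

```javascript
'use strict';

// Keys that a recursive merge must never follow from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: naive recursive merge of decoded client input into
// server-side state. JSON.parse yields an own "__proto__" key, and
// target["__proto__"] resolves to Object.prototype, so the merge writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A thenable carries a then() method: awaiting it runs caller-defined code
// instead of yielding plain data, which breaks "this is just data" assumptions.
function isThenable(value) {
  return value !== null && typeof value === 'object' && typeof value.then === 'function';
}

// Hardened form: reject prototype keys and thenables before the data is trusted;
// only plain own properties of the target are ever recursed into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`rejected key: ${key}`);
    const value = source[key];
    if (isThenable(value)) throw new TypeError(`rejected thenable at: ${key}`);
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(own !== null && typeof own === 'object' ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body, as a JSON deserializer would decode it from a request.
const POLLUTING_INPUT = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Runs the vulnerable merge, reports whether an unrelated object inherited the
// injected property, then restores Object.prototype.
function demonstratePollution() {
  unsafeMerge({}, POLLUTING_INPUT);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Returns the message the hardened merge raises for an input, or null if accepted.
function rejectionMessage(input) {
  try { safeMerge({}, input); return null; } catch (e) { return e.message; }
}
```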
When a specially crafted request is sent:
- The server logs unexpected output (meowmeow)
- The execution occurs on the server, not in the browser
- No authentication or authorization is required
- The application runtime is compromised
This confirms server-side code execution.
If deployed publicly, this class of vulnerability could allow an attacker to:
- Execute arbitrary server commands
- Read environment variables and secrets
- Modify application source code
- Access databases and internal services
- Persist backdoors
- Abuse cloud infrastructure
This is why such vulnerabilities receive CVSS scores of 9.8–10.0.
This project should only be run:
- Locally
- Inside a disposable environment (VM or Docker)
- Without real credentials
- Without internet access
- Never on cloud platforms (Vercel, AWS, Render, Railway, etc.)
This repository exists to:
- Improve understanding of modern web security risks
- Demonstrate why framework internals matter
- Encourage defensive programming
- Promote secure API and action design
No production usage is intended or supported.
The author assumes no responsibility for misuse of this code.
By using this repository, you acknowledge that:
- You understand the risks
- You will not deploy it publicly
- You are using it solely for educational purposes
This project was built to deepen understanding of:
- Next.js internals
- Server Action security
- Real-world vulnerability classes